Is this a safe way to deal with password resets?

Taylor Member
edited July 2012 in General

Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail. https://twitter.com/UKTesco/status/229542141012107265

Looking at this tweet it looks like passwords are just being stored in plain text? Surely this is not a safe way to deal with password resets?

I know, I'm Dale Maily.

Comments

  • Jack Member

    Paha, Asda's better.

  • MrAndroid Member
    edited July 2012

    @Taylor said: Surely this is not a safe way to deal with password resets?

    No it is not, but every little helps.

    Even to hackers :)

    Daniel.

  • jarland Member
    edited July 2012

    I just send out the database to the client on password resets. It's easier. Just look for yours. It's all in plain text anyway because who likes database entries that can't be read?

    jarland.me | Read about my new hosting experiment.

    Thanked by 1 yomero
  • Randy Disabled

    hackers will still find ways

  • Ree Member

    Based on the fact that they're saying "Passwords are stored in a secure way" I assume that means they're encrypting the passwords, which means they can then decrypt them for the purpose of the "forgot your password?" email.

    It's fine and good to encrypt all the other personal information, but encryption is not the recommended way to store passwords. Instead it's better to hash, and more importantly, to hash properly, which from what I've seen with some of the recent database leaks, not many people know how to do.

  • Damian Member

    If you can convert encrypted text back to plain text, it's not secure.

    Not the biggest, just the best: IPXcore
    Thanked by 1 Gary
  • gsx Member

    Well if you provide the customer with a temporary password and have them change the password through your control panel/system, then the password would only be known to them and in an encrypted form.

  • This is stupid, and they should be firing someone over it. If a hacker can get to your customer database, they can get the script with your password key in it. This is much much less secure than hashing.

  • Gary Member

    There should never be password reminder emails. Hell, there should never be sign-up emails that contain your password, for that matter.

    Forgotten your email? Then we'll email you a link to visit, that'll allow you to change your password.
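Ree's and Gary's points above (hash passwords properly instead of encrypting them, and email a reset link rather than the password) as one worked example; this is added here and is not code from any poster or from Tesco. The in-memory tables, the 15-minute token lifetime and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory tables standing in for the user and reset-token stores.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
PBKDF2_ITERATIONS = 600_000   # slow on purpose; tune to your hardware
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link

def hash_password(password, salt=None):
    """Return (salt, key). A fresh 16-byte salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key

def register(email, password):
    salt, key = hash_password(password)
    USERS[email] = {"salt": salt, "hash": key}   # the password itself is never stored

def verify_password(email, password):
    row = USERS.get(email)
    if row is None:
        return False
    _, key = hash_password(password, row["salt"])
    return hmac.compare_digest(key, row["hash"])  # constant-time compare

def issue_reset_token(email, now=None):
    """Mint a single-use, time-limited token; only its hash is stored, so a leaked table can't be replayed."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None   # respond to the user identically either way (no account enumeration)
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (email, now + TOKEN_TTL_SECONDS)
    return token      # this goes into the emailed link, never a password

def reset_password(token, new_password, now=None):
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
    if entry is None:
        return False
    email, expires = entry
    if now > expires:
        return False
    register(email, new_password)   # re-hash with a fresh salt
    return True
```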

  • jarland Member
    edited July 2012

    Oh come on...an email with a generated password is fine. It's up to the user to change it. Let's not act like we're storing military secrets here.

    jarland.me | Read about my new hosting experiment.

  • They're not sending you an email with a generated password (which I agree is fine, but only if you're forcing the user to change that password immediately upon logging in). They're sending you an email with YOUR password, but claiming they still store your password securely. This means they're probably using symmetric-key encryption to store passwords, and there's a script or something on their site that's going to have a copy of their encryption key in it.

  • gsrdgrdghd Member
    edited July 2012

    @Soylent said: They're sending you an email with YOUR password, but claiming they still store your password securely.

    If someone explains a joke it isn't funny anymore :(

    Anyway, I wonder how that Tweet hasn't been deleted yet?

    President Of Operations/CEO/CFO/CTO/COO of my account

  • Taylor Member

    Looks like they are running outdated software and could not give a monkeys about security.

    http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html

    I know, I'm Dale Maily.
